The apiv1 writes a chunkgroup to the gridfs storage metadata.
If a user chooses a duplicate chunkgroup the upload stream may get appended to finished blob.
This results into wrong links and the blob of the original file gets removed if the later files gets removed and a client may get the exception:
{"error":"Balloon\\Filesystem\\Exception\\NotFound","message":"storage blob is gone","code":57}
Fetch content from node created in 1. will result in storage blob is gone
Expected behavior
Only select chunkgroup if metadata.temporary is true.
Environment
balloon server version: v2.6.8
Additional context
Note this is not a security issue since the server handles chunkgroups on a per users basis and the user is only able to destroy files which are owned by himself.
This bug does not occur in the beta releases of v2.7.x since 2.7 has an upload session management #382.
Describe the bug
The apiv1 writes a chunkgroup to the gridfs storage metadata. If a user chooses a duplicate chunkgroup the upload stream may get appended to finished blob. This results into wrong links and the blob of the original file gets removed if the later files gets removed and a client may get the exception:
{"error":"Balloon\\Filesystem\\Exception\\NotFound","message":"storage blob is gone","code":57}
To Reproduce
storage blob is gone
Expected behavior
Only select chunkgroup if metadata.temporary is true.
Environment
Additional context
Note this is not a security issue since the server handles chunkgroups on a per users basis and the user is only able to destroy files which are owned by himself.
This bug does not occur in the beta releases of v2.7.x since 2.7 has an upload session management #382.